Key derivation from PUFs

ABSTRACT

Some embodiments relate to an electronic cryptographic device (100) arranged to determine a cryptographic key. The cryptographic device is arranged for an enrollment phase and a later reconstruction phase. The cryptographic device comprises a physically unclonable function (PUF) (110) and a processor circuit. The circuit is configured to determine during the enrollment phase debiasing data (142), first noise reduction data (131) and second noise reduction data. The circuit is configured to compute, during the reconstruction phase, at least one cryptographic key from first corrected bits and second corrected bits.

This application is the U.S. national phase of International Application No. PCT/EP2018/066437 filed Jun. 20, 2018 which designated the U.S. and claims priority to EP Patent Application No. 17180490.9 filed Jul. 10, 2017, the entire contents of each of which are hereby incorporated by reference.

FIELD OF THE INVENTION

An electronic cryptographic device arranged to determine a cryptographic key, an electronic enrollment method arranged to enroll a device for later determining of a cryptographic key, an electronic reconstruction method arranged to determine a cryptographic key, and a computer readable medium.

BACKGROUND

A physical unclonable function exploits manufacturing variations to derive a digital identifier. The digital identifier is thus tied to a physical medium. Because the physical unclonable function depends on random process variation, it is easy to create a PUF but it is very hard, if not downright impossible, to create a PUF which would give rise to a particular predetermined identifier. The manufacturing variations lead to different physical characteristics of the memory element. For example, the physical characteristics may include: doping concentrations, oxide thickness, channel lengths, structural width (e.g. of a metal layer), parasitics (e.g. resistance, capacitance). When a digital circuit design is manufactured multiple times, these physical characteristics will vary slightly and together they will cause the behavior of an IC element, e.g., a memory element, to behave differently in some situations. For example, the start-up behavior is determined by manufacturing variations in the physical characteristics.

The fact that PUFs produce device-intrinsic and unpredictable responses makes them a very suitable candidate to generate cryptographic keys from. In contrast to traditional non-volatile key storages, a PUF-based key is not stored in digital format, but stems from small random deviations in the PUF's physical structure. Moreover, the generation of the key itself does not depend on externally provided randomness, which may be of low quality, but uses the high-entropy intrinsic randomness of the device itself. The combination of these factors can lead to highly secure solutions for cryptographic key storage.

Using a PUF, the need for secure memory to store a key may be circumvented. A PUF furthermore provides natural protection against malicious attempts to obtain the cryptographic key through reverse engineering, since damage which could be inflicted to the PUF during the attempt likely changes the digital identifier. Preferably, the digital identifier is unique for the electronic device wherein the physical unclonable function is embedded.

For example, it has been observed that the startup behavior of some memory elements demonstrates PUF-like behavior. When such memory is powered-up, it tends to contain content, i.e., comprise a sequence of data values, which depends on the at least partially random physical characteristics of the components, e.g., gates or transistors, which make up the memory, e.g., their physical arrangement relative to each other. If the memory is powered-up multiple times, it would contain, up to a large percentage, the same content.

A PUF provides unpredictable and device-unique responses, yet due to their physical origin, these may be subject to measurement noise, and environmental influences. Cryptographic keys on the other hand need to be reliable and of full entropy. To bridge this gap, some amount of post-processing on the PUF responses is required. One way to address noise is the use of so-called fuzzy extractors. A fuzzy extractor is able to transform a ‘noisy’ random value into a reliable key. An error correction procedure can be used in this process to correct for these fluctuations, and make sure an identical digital identifier is derived, each time the PUF is used. The error correction procedure uses so-called helper data. Helper data is also called noise reduction data.

A fuzzy extractor may comprise two stages. In an initial enrollment stage, a cryptographic key is derived from the PUF response. In the enrollment process, helper data or noise reduction data for the PUF response is produced. Later on, e.g., in the field, the reconstruction stage reevaluates the PUF response and uses the noise-reduction data from the enrollment stage to reconstruct the same key. The noise-reduction data hence needs to be stored in between the enrollment and reconstruction stages. The reconstruction stage is sometimes referred to as the use-phase.

A desirable property of a fuzzy extractor in this respect is that the noise-reduction data contains no information about the key which is derived. In other words, the noise-reduction data contains no sensitive information and cannot be used to attack the generated key. As a result, the noise-reduction data can be stored and communicated publicly and does not need shielding from adversaries as a direct storage of the key would need.

The operation of a fuzzy extractor may be based on the use of an error correcting code. Typically, the error correcting code is a block code and is linear, e.g., a linear error correcting block code. During enrollment, the fuzzy extractor calculates noise-reduction data for the PUF response, e.g., by calculating a number of parity relations on the PUF response bits and disclosing these relations in the noise-reduction data. Noise reduction data may be computed, e.g., by calculating the difference between one or more code words and the PUF response. This type of noise reduction data is sometimes referred to as a code word offset.

It was found by the applicant that the information leakage about the key through the noise-reduction data is non-zero if the PUF has a high bias. In fact, if the PUF has very high bias the noise-reduction data may even reveal sufficient information about the key to allow complete reconstruction of the key by an attacker.

Solutions to the problem of potential full entropy loss in situations of high bias are disclosed in a publication “Secure key generation from biased PUFs” (See Cryptology ePrint Archive: Report 2015/583, included herein by reference). A shorter version of this paper was also accepted for publication at CHES-2015. According to this article, a solution may be obtained by debiasing a PUF. For example, during enrollment, bias may be reduced by marking bits in the first noisy bit string as retained or discarded. A key is then derived only from the retained bits. As the retained bits have a lower bias than the entire PUF response, the problem of entropy loss through PUF bias is reduced.

Unfortunately, the solutions presented in the above paper still have some drawbacks.

First of all, the solutions presented discard a large number of bits to obtain a less biased substring of a PUF response. In the straightforward approaches about 50% of the bits in a PUF response are discarded for an unbiased PUF. For a biased PUF the number of discarded bits would be even higher. Recursive application in some of the more refined approaches can reduce this number somewhat, at the cost of a more complicated system. Yet even in those cases, a larger number of bits remain unused. This is problematic, especially in low-resource systems where memory, e.g., SRAM based PUFs, is at a premium.

Second, not all the known approaches can be enrolled multiple times. Repeated enrollment is a potential security risk in PUF based systems. If an attacker can force a system to return to an uninitialized state and repeat the enrollment procedure, he may obtain new noise reduction data. Combining the information from the original noise reduction data and the new noise reduction data may allow an attacker to learn more about the PUF response. It is therefore desirable that an enrollment procedure can withstand repeated enrollments. Unfortunately, the recursive approaches mentioned above cannot be combined with the schemes that can resist multiple enrollments.

In other words, traditional helper data uses all PUF entropy, but suffers from reduced entropy due to leakage and becomes insecure when the PUF is biased, up to the point that no entropy is remaining. Different forms of debiasing maintain entropy under bias, even full entropy, but require that a significant part of the PUF entropy is discarded: more than twice the PUF bits are needed. Both approaches have a big downside, one requires significantly more PUF resources, the other can be broken completely when enough bias is present.

There is therefore a desire for a PUF based system in which these and other problems are addressed. Reference is made to International Patent Application PCT/EP2015/078454, published with number WO2016102164 (included herein by reference) which also discloses cryptographic key production from biased PUFs.

SUMMARY OF THE INVENTION

An electronic cryptographic device is provided arranged to determine a cryptographic key. The cryptographic device is arranged for an enrollment phase and a later reconstruction phase. The cryptographic device comprises

-   a physically unclonable function arranged to produce a first noisy bit string during the enrollment phase and a second noisy bit string during the reconstruction phase, and
-   a processor circuit configured to
    -   determine during the enrollment phase debiasing data from the first noisy bit string, the debiasing data marking a first part of the first noisy bit string as low bias susceptible, and marking bits in a second part of the first noisy bit string as high bias susceptible,
    -   determine during the enrollment phase a first noise reduction data for the first part, and a second noise reduction data for the second part, noise reduction data allowing later correction during the reconstruction phase of differences between the second noisy bit string and the first noisy bit string,
    -   identify during the reconstruction phase a first part and a second part in the second noisy bit string based on the debiasing data,
    -   perform a first correction of differences between the first part of the second noisy bit string and the first part of the first noisy bit string based on the first noise reduction data thus obtaining first corrected bits, and perform a second correction of differences between the second part of the second noisy bit string and the second part of the first noisy bit string based on the second noise reduction data thus obtaining second corrected bits, wherein the first correction and second correction are independent from each other,
    -   compute at least one cryptographic key from the first corrected bits and the second corrected bits.

The cryptographic device produces acceptable results both in case of normal bias and in case of higher bias. In case normal bias is present, entropy loss through noise reduction data is small, and both the first and second corrected bits are high in entropy. In case higher bias is present in the PUF output the entropy loss in the first corrected bits is reduced even if entropy loss in the second corrected bits may be severe. Thus, keys are generated without a large increase in PUF resources, but also without the risk of being completely broken when enough bias is present.

The cryptographic key may be used in a number of cryptographic protocols, including encrypting or decrypting information using the cryptographic key, electronic signing of information using the cryptographic key, etc. Cryptographic keys derived from the PUF may be symmetric or asymmetric keys. For example, a public/private key pair may be derived from the PUF after which the public key may be exported out of the device. Embodiments of the device and method described in the claims may be applied in a wide range of practical applications. Such applications include: banking cards, SIM cards, smart cards for pay per view, ID cards, etc.

A method according to the invention may be implemented on a computer as a computer implemented method, or in dedicated hardware, or in a combination of both. Executable code for a method according to the invention may be stored on a computer program product. Examples of computer program products include memory devices, optical storage devices, integrated circuits, servers, online software, etc. Preferably, the computer program product comprises non-transitory program code stored on a computer readable medium for performing a method according to the invention when said program product is executed on a computer.

In a preferred embodiment, the computer program comprises computer program code adapted to perform all the steps of a method according to the invention when the computer program is run on a computer. Preferably, the computer program is embodied on a computer readable medium.

Another aspect of the invention provides a method of making the computer program available for downloading. This aspect is used when the computer program is uploaded into, e.g., Apple's App Store, Google's Play Store, or Microsoft's Windows Store, and when the computer program is available for downloading from such a store.

BRIEF DESCRIPTION OF THE DRAWINGS

Further details, aspects, and embodiments of the invention will be described, by way of example only, with reference to the drawings. Elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. In the Figures, elements which correspond to elements already described may have the same reference numerals. In the drawings,

FIG. 1 schematically shows an example of an embodiment of a cryptographic device,

FIGS. 2a-2d schematically show examples of computing at least one cryptographic key from first corrected bits and second corrected bits,

FIG. 3 schematically shows examples of enrollment,

FIG. 4 schematically shows examples of reconstruction,

FIG. 5 schematically shows an example of an embodiment of an electronic enrollment method 600,

FIG. 6 schematically shows an example of an embodiment of an electronic reconstruction method 700,

FIG. 7a schematically shows a computer readable medium having a writable part comprising a computer program according to an embodiment,

FIG. 7b schematically shows a representation of a processor system according to an embodiment.

List of Reference Numerals, in FIGS. 1-2d

-   100 an electronic cryptographic device
-   110 a physically unclonable function (PUF)
-   112 a first noisy bit string
-   114 a second noisy bit string
-   120 a debiasing unit
-   121 a first low bias susceptible part of the first noisy bit string
-   122 a second high bias susceptible part of the first noisy bit string
-   130 a noise-reduction unit
-   131 first noise reduction data
-   132 second noise reduction data
-   140 a storage
-   142 debiasing data
-   144 noise-reduction data
-   150 a key reconstruction unit
-   151 a first part of the second noisy bit string
-   152 a second part of the second noisy bit string
-   160 a normalizer
-   161 one or more noisy first code words
-   162 one or more noisy second code words
-   170 an error corrector
-   171 first corrected bits
-   172 second corrected bits
-   180 a key derivation unit
-   181-187 a cryptographic key

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

While this invention is susceptible of embodiment in many different forms, there are shown in the drawings and will herein be described in detail one or more specific embodiments, with the understanding that the present disclosure is to be considered as exemplary of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.

In the following, for the sake of understanding, elements of embodiments are described in operation. However, it will be apparent that the respective elements are arranged to perform the functions being described as performed by them.

Further, the invention is not limited to the embodiments, and the invention lies in each and every novel feature or combination of features described herein or recited in mutually different dependent claims.

FIG. 1 schematically shows an example of an embodiment of a cryptographic device 100.

Device 100 comprises a so-called physically unclonable function 110, usually referred to as a PUF. Device 100 is arranged to determine a cryptographic key. The cryptographic device is arranged for an enrollment phase and a later reconstruction phase. PUF 110 is arranged to produce a first noisy bit string 112 during the enrollment phase and a second noisy bit string 114 during the reconstruction phase. During the reconstruction phase, which may be repeated multiple times, the same cryptographic key is produced. During the enrollment phase, data may be produced which enables the repeated identical production of the cryptographic key and/or reduce bias in the PUF.

Determining a key from a PUF is implemented in a processor circuit, examples of which are shown below. FIG. 1 shows functional units that may be functional units of the processor circuit. For example, FIG. 1 may be used as a blueprint of a possible functional organization of the processor circuit. The processor circuit is not shown separate from the units in FIG. 1. For example, the functional units shown in FIG. 1 may also be wholly or partially implemented in computer instructions that are stored at the cryptographic device and are executable by a microprocessor of the cryptographic device. In hybrid embodiments, functional units are implemented partially in hardware, e.g., as coprocessors, e.g., crypto coprocessors, and partially in software stored and executed on the cryptographic device.

The amount of change between subsequently produced noisy bit strings differs between different types of PUF; depending on the amount of change an error correcting code may be selected to correct for it. The noisy bit string is stable enough and long enough to produce a cryptographic key. The length of the noisy bit string of the PUF may be chosen with respect to desired key length, the error percentage of the PUF and/or the bias level of the PUF, etc.

PUF 110 may require a power-cycle, e.g., a power-down followed by a power-up to produce the noisy bit string again. The power-up signal may be regarded as a challenge. In device 100, PUF 110 produces the noisy bit string at least twice. Once during the enrollment-phase, PUF 110 produces a first noisy bit string 112. Later during the use-phase PUF 110 produces a second noisy bit string 114. The first and second noisy bit strings are sufficiently close to each other, e.g., the Hamming weight of their difference is less than a threshold.

PUFs are random functions bound to a physical device in such a way that it is computationally infeasible to predict the output of the function without actually evaluating it using the physical device. Furthermore, as the PUF is realized by a physical system it is hard to clone. Physical systems that are produced by a production process that is not fully controlled (i.e. that contains some randomness) turn out to be good candidates for PUFs. In an embodiment, PUF 110 and thus cryptographic device 100 may be uniquely identified based on the response provided by PUF 110, and the key derived therefrom. The key may be used as an identifier, identifying the device.

The PUF's physical system is designed such that it interacts in a complicated way with stimuli and leads to unique but unpredictable responses. The stimuli of a PUF are referred to as the challenge. Some PUFs allow a larger range of different challenges, producing different responses. A PUF challenge and the corresponding response are together called a Challenge-Response-Pair. However, a PUF may also have a single challenge. PUF 110 may be a single-challenge PUF. PUF 110 may also be a multiple-challenge PUF. In the latter case, PUF 110 is challenged with the same challenge or set of challenges when producing the noisy bit string, in particular the first and second noisy bit string.

A suitable source of PUFs is formed by an electronic volatile memory that contains, upon power-up, a response pattern of power-up values useful for identification of the memory, the response pattern depending on physical characteristics of the memory elements.

One known example of a PUF used to uniquely identify a device is the so-called SRAM PUF, which is based on the fact that, when an SRAM cell is started up, it starts up in a random state due to variations in the threshold voltages of the transistors, which, in turn, are due to doping variations. When this is done multiple times, each cell will start up in the same state most of the time. These PUFs may be realized on any device having SRAM memory on board.

Any memory showing a random start-up behavior which is sufficiently stable for identifying the memory is called a challengeable memory. As the start-up behavior is random, two different memories will have a large difference in their start-up memory pattern; as the start-up behavior is stable two start-up memory patterns of the same memory will have a small difference. Examples of such memories are SRAM memory cells as mentioned but also memory elements like flip-flops. Actually, any type of volatile memory may be used that comprises feedback loops.

A second kind of SRAM based PUF can be constructed with Dual Port RAM. By writing different information on both ports at the same time, the memory cell is brought into an undefined state and shows a PUF-like behavior. This kind of PUF is described in more detail in WO2009024913. Other so-called Intrinsic PUFs are based on delay phenomena, see, e.g., US20030204743. A PUF may be constructed by simulating an SRAM memory cell on an FPGA, e.g., by cross-coupled invertors or latches, the so-called butterfly PUF; see European patent EP2191410 B1 and WO2011018414A2. PUF 110 may be a physical unclonable function comprising a plurality of bus-keepers, e.g., as described in WO2012069545.

Device 100 comprises a debiasing unit 120. Debiasing unit 120 is arranged to determine during the enrollment phase debiasing data 142 from the first noisy bit string. The debiasing data marks a first part 121 of the first noisy bit string 112 as low bias susceptible, and marks a second part 122 of the first noisy bit string 112 as high bias susceptible. For example, first part 121 has a lower bias compared to string 112. First part 121 may even be unbiased. For example, the bits in a first part 121 of the first noisy bit string 112 may be marked as low bias susceptible, if they have a lower bias, or even less or equal bias, than the bits in the second part 122 of the first noisy bit string 112, which can then be regarded as high bias susceptible. For example, the debiasing data may mark the first part 121 and/or the second part 122 by marking, e.g. identifying or selecting, their bits.

In this application bias refers to the situation in which one of the 1 or 0 bits is more likely than the other one of the 1 or 0 bits. For example, bias of a PUF could be defined as the absolute difference between the probability of producing a 1 bit and the probability of producing a 0 bit. Bias could also be defined as the maximum of the probability of a 1 bit and the probability of a 0 bit. Bias may be determined for a certain bit location by comparing multiple devices. Typically, bias is uniform for larger portions of bit locations. For some PUFs, especially memory based PUFs, there may be some variation in bias across the memory. For example, bias can vary across a memory, but be constant for larger zones; for example, the first and second half of the memory may each have constant bias but differ from each other. Bias may also vary locally, for example, some memories show a difference in bias for even and odd bit locations.

A PUF which has a low bias will, at least on average, produce a bit string in which the absolute difference between the fraction of 1 bits and the fraction of 0 bits is small. The fraction may be taken as the number of 1 or 0 bits respectively, divided by the length of the string.

The debiasing data is selected so that the first part of outputs of PUF 110 after debiasing have lower bias than the immediate responses of PUF 110. In an embodiment, the debiasing unit 120 is arranged so that the absolute difference between the fraction of 1 bits and the fraction of 0 bits among the bits of the first bit string marked by the debiasing information as retained is smaller than among the first noisy bit string. In an embodiment, the debiasing unit 120 may be arranged to select the first part so that the absolute difference between the fraction of 1 bits and the fraction of 0 bits among the bits of the first bit string marked by the debiasing information as retained, is zero.

Note that lower or higher bias susceptibility is a property of the collection of selected bits. Even if individual bits may share the same susceptibility per se, by combining suitable combinations of 1 and 0 bits, an overall lower bias susceptibility is achieved.

In a simpler embodiment, the debiasing unit may be arranged with a predetermined number k, less than the bit length of the PUF responses. The number is chosen so that, taking account of bias, PUF 110 will have a high probability to have at least the number k 0 bits and at least k 1 bits. In fact, for any practical bias, this probability may be arbitrarily high, assuming the bit length of the PUF responses may be taken sufficiently high.

The debiasing unit may be arranged to select the first part by randomly selecting k 0 bits and k 1 bits from among the bits in the first PUF response 112 as retained, discarding all others. Debiasing data 142 indicates which bits were marked as retained and discarded during the enrollment phase. This information may be recorded in a number of ways. For example, debiasing data 142 may comprise a bit mask to indicate the retained bits. The retained bits may later be selected with, say, a bit-wise ‘and’ operation. For example, debiasing data 142 may include a list of indices pointing to selected bits.

Although this method of randomly selecting k 0 bits and k 1 bits works to reduce or even remove bias, it still suffers from a few drawbacks. First of all, since exactly k 0's and 1's are selected, the unpredictability (i.e. entropy) is effectively a little reduced, because an attacker knows that there are exactly k 0's and 1's; in a truly random string that would not necessarily be the same number of 0 and 1 bits. Furthermore, one may use a stochastic method for randomly selecting 0's and 1's. However, an independent randomness source may not be available. Some of the embodiments below do not require independent randomness sources but use the inherent randomness in the bit strings for this.

Finally, if the bias is not uniform, some of the non-uniformity may survive in the “debiased” bit string. For example, if there is a location-dependent bias in the PUF, say a first portion of the PUF response has a different bias than a second portion of the PUF response (e.g. one half of responses is biased to 0, the other half to 1), then this method might not be able to remove that, i.e. the “debiased” bit string would still have the same location-based bias. Embodiments shown below do not suffer from this weakness since they debias locally.

After the first part of output 112 has been selected the second part may be defined as the rest of PUF response 112. Typically, only a first part and a second part is used, but in an embodiment, there may be more than two parts. For example, a first part may have the lowest bias, a second part a lower bias and the third part the highest bias. The debiasing data indicates which bits in the first noisy bit string 112 are part of the first part, second part, etc. In this case, an independent secret may be generated for each part, and noise reduction data computed therefrom for each part, during enrollment.

Debiasing data may for example comprise indices that indicate one or more bits in first noisy bit string. For example, an index in a string may be a location in a bit string, e.g., an address according to some bit addressing scheme. For example, bits may be numbered consecutively, e.g., from LSB to MSB or vice versa, etc. Debiasing data may comprise a bit-mask, that identifies bits in the various parts, etc. The debiasing data is determined from the bit content of first noisy bit string 112, however once determined the debiasing data addresses the bits in the various parts independent of the content of a bit string. This property allows the debiasing data to be applied later to a second noisy bit string.

A particularly advantageous way to select the first part is to view the first noisy bit string as a sequence of bit-pairs. The debiasing data assigns some of the bit-pairs to the first part and some to the second part.

For example, the first and second noisy bit string may be partitioned in a first and second sequence of bit pairs respectively. Debiasing unit 120 may be configured to identify bits in unequal bit pairs in the first sequence of bit pairs as low bias susceptible, and to identify bits in equal bit pairs in the first sequence of bit pairs as high bias susceptible. Even if the probability of a one bit is p≠½, the probability of the unequal pairs 01 and 10 is the same p(1−p). This method will be expanded upon further below with reference to FIGS. 3 and 4.

By selecting only unequal pairs for the first part it is guaranteed that the first part will have zero bias. It could happen, although it is fairly unlikely, that the second part also happens to have zero bias, e.g., if the number of 00 equal pairs is the same as the number of 11 equal pairs. This is not a problem; in this case the low bias susceptible first part has less-or-equal bias than the high bias susceptible second part.
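
The pair-based selection described above can be written out as follows. This is an added example, not code from the patent: the function names, the per-pair flag representation of the debiasing data, and the simulated PUF (independent bits with a 70% chance of a 1 and a 5% bit error rate) are assumptions made for illustration.

```python
import random


def pair_debiasing_data(bits):
    """Enrollment: one flag per bit pair, derived from the first noisy bit string.

    True  -> unequal pair (01 or 10): low bias susceptible, first part.
    False -> equal pair (00 or 11): high bias susceptible, second part.
    """
    usable = len(bits) - len(bits) % 2  # a trailing unpaired bit is left out
    return [bits[i] != bits[i + 1] for i in range(0, usable, 2)]


def split_parts(bits, debiasing_data):
    """Select first and second part by pair position only, never by bit value,
    so data made at enrollment also applies to a later noisy bit string."""
    first, second = [], []
    for pair_index, low_bias in enumerate(debiasing_data):
        pair = bits[2 * pair_index:2 * pair_index + 2]
        (first if low_bias else second).extend(pair)
    return first, second


def bias(bits):
    """Absolute difference between the fraction of 1 bits and of 0 bits."""
    if not bits:
        return 0.0
    ones = sum(bits)
    return abs(2 * ones - len(bits)) / len(bits)


def simulate(p_one=0.7, length=2048, error_rate=0.05, seed=1):
    """Constructed PUF model: independent bits with P(1) = p_one, and a second
    read-out in which each bit flips with probability error_rate."""
    rng = random.Random(seed)
    first_noisy = [int(rng.random() < p_one) for _ in range(length)]
    second_noisy = [b ^ int(rng.random() < error_rate) for b in first_noisy]

    # Enrollment: debiasing data comes from the first noisy bit string only.
    data = pair_debiasing_data(first_noisy)
    first_part, second_part = split_parts(first_noisy, data)

    # Reconstruction: the stored debiasing data is applied to the second string.
    rec_first, rec_second = split_parts(second_noisy, data)

    return {
        "bias_whole": bias(first_noisy),
        "bias_first_part": bias(first_part),
        "bias_second_part": bias(second_part),
        "same_layout": (len(rec_first), len(rec_second))
                       == (len(first_part), len(second_part)),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The first part comes out with zero bias whatever `p_one` is, while the second part is more biased than the raw response, which is why the two parts get separate noise reduction data.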

Device 101 comprises a noise-reduction unit 130. Noise-reduction unit 130 is arranged to determine during the enrollment phase a first noise reduction data 131 for the first part, and a second noise reduction data 132 for the second part. Noise reduction data allows later correction during the reconstruction phase of differences between the second noisy bit string and the first noisy bit string. Noise reduction data is determined during the enrollment phase, i.e., before the reconstruction phase.

Optionally, device 100 comprises a storage 140, say a non-volatile writable memory, say a Flash memory, for storing debiasing data 142 and noise-reduction data 144. Noise-reduction data 144 comprises both the first noise reduction data 131 for the first part, and the second noise reduction data 132 for the second part. Instead of a storage 140 comprised in device 100, an embodiment stores debiasing data 142 and noise-reduction data 144 externally. Debiasing data 142 and noise-reduction data 144 may be combined into a single bit string.

One way to determine noise reduction data is the so-called Code-Offset method based on error-correcting codes. Correction using such noise reduction data may use a combination of a normalizer and an error corrector, and is sometimes referred to as a fuzzy extractor. Key derivation may also be included in the fuzzy extractor.

For example, in the enrollment stage, noise reduction unit 130 may select one or more first code words from an error correcting code and one or more second code words from an error correcting code. Typically, the first code words and second code words are selected from the same error correcting code, but this is not needed; they may instead be selected from a distinct first error correcting code and a second error correcting code respectively.

The error correcting code may be regarded as a set of bit strings (code words) that have a positive minimum Hamming distance. The error correcting code may have an encoding algorithm to map messages into one or more code words from the error correcting codes, a decoding algorithm to perform the reverse mapping and a correcting algorithm that maps noisy code words to the closest actual code words. The decoding and correcting algorithm may be combined if desired. In error correcting a distinction is made between errors and erasures. There is an error in the noisy bit string if a bit differs from the corresponding bit in the closest code word. In case of an error the position of the error is unknown. There is an erasure if the value of a particular bit in a noisy code word is unknown. Error correcting codes can correct both errors and erasures, but since less information is lost, error correcting codes can typically correct more erasures than errors.

One or more random code words may, e.g., be selected from a code, e.g., by encoding a randomly selected seed. Random code words may also be directly selected, etc.

Noise reduction unit 130 may be arranged to determine the first noise reduction data by computing the offset, e.g., a difference, e.g., an XOR, between corresponding bits in the first part of the first noisy bit string and a corresponding bit in the one or more first code words. Likewise, noise reduction unit 130 may be arranged to determine the second noise reduction data by computing the offset between corresponding bits in the second part of the first noisy bit string and the corresponding bits in the one or more second code words. The first noisy bit string may be padded or shortened if needed to make it a multiple of the code word size.

For example, the offset may be computed between bits in the first or second part of the first noisy bit string and the bits in the one or more first or second code words that have the same index in these respective strings. In an embodiment, the one or more first code words and the one or more second code words have the same length. Preferably, the one or more first code words are as long as or longer than the first noisy bit string and so are the one or more second code words. In this case, each bit in the first noisy bit string corresponds to a bit in the one or more first code words and to a bit in the one or more second code words, e.g., the bit with the same index, e.g., bit address, in the string.

It is advantageous to compute the offset between the first or second part on the one hand, and one or more first or second code words that are as long as the entire first noisy bit string, and not just as long as the first or second part thereof. For example, noise reduction unit 130 may be arranged to determine the offsets between the first noisy bit string and the one or more first code words only for the bits in the first part of the first noisy bit string, and to determine the offsets between the first noisy bit string and the one or more second code words, but only for the bits in the second part of the first noisy bit string. When computing the offset between such one or more first code words and the first part, noise reduction unit 130 may in effect compute the offset between the entire first noisy bit string 112 and the one or more first code words, but ignore those bits in the first noisy bit string 112 that are in the first part. The first noise reduction data 131 may be of the same length as the first noisy bit string, and comprise an offset for the bits corresponding to the first part, and indicate an erasure, e.g., an erasure symbol or an erasure string, etc., for bits corresponding to the second part. The second noise reduction data may be computed likewise, with the roles first and second reversed.

In an embodiment, the first noise reduction data has an offset for each bit in the first part of PUF response 112 and an erasure for each bit in the second part, and vice versa for the second noise reduction data. Computing noise reduction data for the whole of the first PUF response 112, but with bits in the second or first part ignored as erasures leading to first or second noise reduction data with erasures in it, leads to better results than just computing noise reduction data for only the bits in the first part or second part. For example, one could do the latter by forming first and second derived PUF responses by concatenating the bits in the first and second part respectively, and next compute noise reduction data for the first and second derived PUF responses.

It is important that high-bias bits and low-bias bits are not used in the same error correcting code word. Due to the nature of error correction codes, knowing part of the code word allows you to fill in a missing part. If you leak low-bias bits of a code word, this will allow you to fill in (part of) the high-bias bits. But, if you explicitly separate the code words, low-bias bits can only leak low-bias bits and not high-bias bits.

In an embodiment, the noise reduction unit 130 does not compute the offset between a bit in the first part of the first noisy bit string and a corresponding bit in the one or more second code words, or the offset between a bit in the second part of the first noisy bit string and a corresponding bit in the one or more first code words.

Computing noise reduction data for all bits in the first noisy bit string, whether in the first part or in the second part, improves resistance against re-enrollment attacks. For example, the re-enrollment attack requires bias to reduce the entropy of the search space. However, because the scope in which bits leak is contained (low-bias, not high-bias), the entropy cannot be fully reduced.

There are alternative ways to construct noise reduction data than the code-offset method. For example, the PUF output may be regarded as the data bits for which parity bits are computed according to an error correcting code. The parity bits are stored as noise reduction data. To reconstruct the PUF response, the same parity bits are computed for the new PUF response and compared with the stored parity bits. From the difference between the parity bits, the difference between the first and the second noisy PUF response bits can be decoded, and the first PUF response can be reconstructed by correcting the second PUF response accordingly. This construction is sometimes referred to as syndrome-construction helper data. This may be combined with debiasing as indicated.

Cryptographic device 100 further comprises a key reconstruction unit 150. In embodiments, a cryptographic device 100 need contain only enrollment units, e.g., debiasing unit 120, noise reduction unit 130, or reconstruction units, e.g., key reconstruction unit 150. For example, if cryptographic device 100 is software based it could be configured to delete the software for enrollment units after enrollment is complete. For example, cryptographic device 100 could download software implementing reconstruction unit 150 after enrollment is complete, e.g., replacing enrollment units. Removing enrollment units after enrollment is complete has the advantage that re-enrollment attacks are more difficult to execute. In FIG. 1 an embodiment is illustrated in which enrollment and reconstruction units are present at the same time, even though they are used in different phases.

Key reconstruction unit 150 is arranged to determine a cryptographic key from bits in the second noisy bit string using the debiasing and noise reduction data. Key reconstruction unit 150 is configured to obtain from PUF 110 a second noisy bit string 114. Second noisy bit string 114 will be close but not (most likely) identical to first noisy bit string 110. With an increased noise level of PUF 110 the minimum distance of the error correcting codes is also increased until a level of reliability is achieved that is compatible with the intended application.

Key reconstruction unit 150 is configured to identify during the reconstruction phase a first part 151 and a second part 152 in the second noisy bit string 114 based on the debiasing data. For example, key reconstruction unit 150 may be arranged to select from second PUF response 114 the bits marked as in the first part and to select the bits marked as in the second part by debiasing data 142. In this way, a first part of the second noisy bit string 151 and a second part of the second noisy bit string 152 are obtained. In an embodiment, strings 151 and 152 retain the bits from second noisy bit string 114 that are in the first respectively second part and mark as an erasure the bits that are in the second respectively the first part.

Key reconstruction unit 150 is configured to perform two corrections: a first correction of differences between the first part of the second noisy bit string and the first part of the first noisy bit string based on the first noise reduction data, and a second correction of differences between the second part of the second noisy bit string and the second part of the first noisy bit string based on the second noise reduction data. The correction uses a type of error correction compatible with the chosen type of noise reduction data. Below we will assume that the code-word offset method is used, but different types of noise-reduction data are possible. Through the corrections, first corrected bits 171 and second corrected bits 172 are obtained. There are at least three options for corrected bits: they may be first or second code words selected during enrollment, they may be decoded first or second code words selected during enrollment after decoding, and they may be bits of PUF response 112. Using code words or decoded code words is preferred, as it seems to be more efficient. However, in different use-cases other trade-offs may be more efficient.

The amount of entropy in a code word and in a decoded code word is the same, so for deriving a key it does not much matter which one is taken. One may skip the decoding step and directly compute the key from the code words. For implementation, it may be easier to decode, e.g., if a concatenated code is used which has two or more correcting stages. In the latter case a key is directly computed from the corrected code words.

The first correction and second correction are independent from each other, and could, e.g., be performed in parallel. In particular, the second correction of high bias susceptible bits does not influence the correction of low bias susceptible bits. Finally, at least one cryptographic key is derived from the first corrected bits and the second corrected bits. Below multiple options are discussed with reference to FIGS. 2a-2d.

In case the code word-offset method is used, device 100 may comprise normalizer 160. Normalizer 160 is configured to obtain one or more noisy first code words 161, by applying the first noise reduction data 131 to bits in the first part 151 of the second noisy bit string, and marking as erasure bits the bits in the one or more noisy first code words corresponding to bits in the second part of the second noisy bit string. Likewise, normalizer 160 is configured to obtain one or more noisy second code words 162, by applying the second noise reduction data 132 to bits in the second part 152 of the second noisy bit string 114. For example, the noise reduction data may be applied by adding, e.g., XOR-ing, the noise reduction data to the relevant bits. Bits in the wrong part of second PUF response 114 may be ignored or marked as an erasure. If erasures are used in noise reduction data, then the entire noise reduction data can be added to the second PUF response 114, with the proviso that an erasure plus any bit (0 or 1) equals an erasure.

The first and second noisy code words will look similar to the original one or more first and second code words respectively since they are obtained from a second PUF response 114 that is similar to the first PUF response 112. Differences may be caused by two sources: some bits may be wrong due to errors caused by the PUF, some bits may be marked as an erasure caused by the debiasing data.

Key reconstruction unit 150 comprises an error corrector 170 to correct the one or more first noisy code words 161, and to correct the one or more second noisy code words 162. Error corrector 170 is configured to correct both errors and erasures. In general, a linear block code can correct t erasures and e errors provided that 2t+e<d, wherein d is the minimum distance of the error correcting code. Based on the error rate and bias of PUF 110, a value of d can be computed so that the above inequality holds with a sufficiently high probability. The error rate and bias can be measured empirically by repeatedly measuring PUF outputs from PUF 110, or from a batch of similar PUFs, etc. A suitable value of d could also be obtained experimentally; e.g., increasing d until the system is sufficiently reliable. Differences between the first and second PUF response are imported in the noisy code words by applying the noise reduction data and corrected in the latter by error corrector 170.

Device 100 may comprise a key derivation unit 180. Key derivation derives a cryptographic key from the outputs of error corrector 170. For example, key derivation unit 180 may apply a key derivation function to one or more corrected code words or to decoded code words, etc. Alternatively, key derivation unit 180 may apply a key derivation function (KDF) to the decoding of one or more corrected code words, or to the corrected PUF response bits, or to decoded code words. Examples of such key derivation functions include KDF1, defined in IEEE Std 1363-2000, NIST-SP800-108 and 56-C, and similar functions in ANSI X9.42, etc. The key derivation function may be a hash function. Further examples are discussed with reference to FIGS. 2a-2d.

Note that key reconstruction unit 150 does not perform a new debiasing operation, which could result in a new selection which may be quite different from the original selection. Instead, reconstruction unit 150 applies the debiasing data obtained during the enrollment phase. For example, the debiasing data may be stored, e.g., locally at device 100, or externally, say in a server which may be connectable to device 100, say over an electronic data connection.

Suitable error correcting codes may be obtained from a concatenated code construction. In such a construction, the bits of one or more code words a from an error correcting code A (the outer code) are encoded, e.g., as if they were messages, according to an error correcting code B (the inner code). For example, noise-reduction unit 130 may be arranged to select the one or more first or second code words from a first or second error correcting code by encoding one or more further code words from a further error correcting code. The inner code of the error correcting code is advantageously a repetition code. Such a code has the advantage that it has a very high minimum distance and very fast error correction, both for errors and erasures. The outer code may have a lower minimum distance and higher error correction complexity, e.g., a Reed-Solomon code. An example of such a code construction is given in WO2016/102164, e.g., with respect to FIGS. 6c and 6d. That patent application also provides how such codes may be decoded. In an embodiment, the inner code has code words of even length.

Device 100 may comprise a communication interface, e.g., an input interface and/or an output interface. For example, the communication interface may be configured to receive an encrypted message, which, e.g., device 100 may decrypt using a key derived from PUF 110, or an authentication request, to which device 100 may respond using a key derived from PUF 110, etc. For example, device 100 may send a message that is encrypted and/or authenticated using a key derived from PUF 110. The communication interfaces may be selected from various alternatives. For example, the communication interface may be a network interface to a local or wide area network, e.g., the Internet, a storage interface to an internal or external data storage, a keyboard, an application interface (API), etc.

Device 100 may have a user interface, which may include well-known elements such as one or more buttons, a keyboard, display, and/or a touch screen, etc. The user interface may be arranged for accommodating user interaction for performing protected communication, e.g., protected for confidentiality and/or integrity.

Storage 140 may be implemented as an electronic memory, say a flash memory, or magnetic memory, say hard disk or the like. Storage 140 may comprise multiple discrete memories together making up storage 140. Storage 140 may also be a temporary memory, say a RAM. In the case of a temporary storage 140, storage 140 contains some means to obtain data before use, say by obtaining them over an optional network connection (not separately shown).

Typically, the device 100 comprises a microprocessor (not separately shown in FIG. 1) which executes appropriate software stored at device 100; for example, that software may have been downloaded and/or stored in a corresponding memory, e.g., a volatile memory such as RAM or a non-volatile memory such as Flash (not separately shown). Alternatively, device 100 may, in whole or in part, be implemented in programmable logic, e.g., as field-programmable gate array (FPGA). Device 100 may be implemented, in whole or in part, as a so-called application-specific integrated circuit (ASIC), i.e., an integrated circuit (IC) customized for its particular use. For example, the circuits may be implemented in CMOS, e.g., using a hardware description language such as Verilog, VHDL, etc.

In an embodiment, cryptographic device 100 comprises a debiasing unit circuit, a noise-reduction unit circuit, a storage circuit, a key reconstruction unit circuit, a normalizer circuit, an error corrector circuit, and a key derivation unit circuit. The circuits implement the corresponding units described herein. The circuits may be a processor circuit and storage circuit, the processor circuit executing instructions represented electronically in the storage circuits. The circuits may also be FPGA, ASIC or the like.

Embodiments may use smaller PUFs and still have keys that have sufficient entropy even in the face of bias. For example, if the PUF is an SRAM based PUF, less SRAM is needed. For example, this may be employed in a device with limited resources, e.g., sensor networks having multiple sensor nodes, a sensor node comprising a cryptographic device, e.g., as in FIG. 1. For example, the cryptographic device can be a network node, using the derived key to communicate, e.g., with other network nodes in the network.

FIGS. 2a-2d schematically show examples of computing at least one cryptographic key from first corrected bits and second corrected bits. The figures show first corrected bits 171 and second corrected bits 172. For example, first corrected bits 171 may be corrected noisy code words 161, that is, first corrected bits 171 may be one or more code words. The corrected code words may be decoded, but this is not needed. If the code words are decoded, then first corrected bits 171 are not code words but could be a random string, e.g., the random seed used during enrollment to generate noise reduction data 131. The same holds for second corrected bits 172. A key derivation function is not strictly necessary in the latter case, but is in any case recommended. If a key derivation function is used, it does not matter if the corrected code words are decoded, and so, this step may be skipped.

FIG. 2a shows a first embodiment. As shown, two cryptographic keys are derived, a first key 181 from first corrected bits 171, and a second key 182 from second corrected bits 182. First key 181 is ultimately derived from bits in PUF 110 that were marked as low bias susceptible during enrollment. As a result, high bias in the PUF 110 has less impact on key leakage through noise reduction data for key 181. In other words, the entropy in key 181 is linked to the entropy in PUF 110; even if the bias in PUF 110 is high, an ‘entropy meltdown’ in case of high bias is avoided. This may be referred to as an entropy baseline. For key 182 there is no such link. This is not to say that key 182 is necessarily worthless. In production systems, most of the PUFs will have acceptable bias. In such a case both key 181 and key 182 will have positive entropy derived from the entropy in PUF 110. In the, hopefully rare, case where PUF 110 has high bias, the entropy for key 182 could be reduced, or even disappear altogether. In such a situation key 181 continues to retain some of the entropy present in PUF 110, even if key 182 has been compromised. For example, keys 181 and 182 may be used for different purposes. For example, key 182 may be used for a low-security application, in which protection is preferred, but not an absolute requirement, whereas key 181 may be used for applications in which security is more paramount.

FIG. 2b shows a second embodiment. A single key 183 is derived from both first corrected bits 171 and second corrected bits 172. For example, corrected bits 171 and 172 may both be inputted to a KDF. For example, corrected bits 171 and 172 may be concatenated and hashed, possibly after concatenation of a salt or distinguisher. Key 183 may be used for a cryptographic application. A derived key, like key 183, may be used as a master key from which keys for various applications are derived.

An advantage of key 183 is that a large part of the entropy of PUF 110 is harnessed into key 183. This is considered an important advantage. In normal situations, with acceptable bias, the entropy in key 183 will be very high, e.g., as high as the entropy of PUF 110 allows. In embodiments, it is possible to obtain near full entropy for a key, such as key 183 derived from a PUF. Interestingly, in the situation that bias is high, the contribution of bits 172 will reduce even to the point of zero entropy. In that case, the entropy loss in key 183 may be reduced but bottoms out, as the entropy in string 171 is base lined. Embodiments according to FIG. 2b combine high entropy in practical situations with a minimum or rescue entropy in case of problematic PUFs. The inventors found that the embodiments according to FIG. 2b are well suited to financial applications, such as credit cards. In such situations, a full entropy loss would be very detrimental, even for rare cases. Yet the system could remain functional so long as the keys have some minimal entropy even in case of higher bias. For example, it may be desired by an application that key 183 has close to 256 bits entropy. A system in which the entropy occasionally drops to, say, 80 bits entropy would be much preferable to one where entropy occasionally drops to, say, 0.

Although the system of FIG. 2b uses the entire second PUF output 114 to compute key 183, the construction of FIG. 2b should be distinguished from a conventional system in which the noise reduction data is computed directly for the entire first PUF output 112. In the latter system, a bias increase will cause entropy loss for the eventual key. Even modest out-of-spec bias could significantly reduce the entropy in the resulting key. In an embodiment, an unbiased part of PUF 110 is harnessed to compute a higher quality core, in this case bits 171 which protect key 183 from such an entropy loss.

Of course, if the bias is extreme, e.g., a PUF response which consists of nearly only zeros, the entropy in the PUF response will be very low and it cannot be expected that a secure key is derived in the end. Such situations are however both fairly rare and easily spotted. For example, device 100 may check the PUF response with a statistical random number test for a minimum entropy level. For example, device 100 may verify that neither the first part nor the second part is smaller in length than some percentage of the PUF response, say less than 40%. In those cases, the key enrollment may be aborted. It is especially in situations in which a bias increase is more modest that care should be taken not to lose too much entropy through the noise reduction data. Note that the percentage scales with the PUF size. The selected bits should, on the one hand, have enough entropy to be secure, but on the other hand contain enough information (non-erasure symbols) to allow for good error correction. In extreme cases the signal to noise ratio will be so bad that it will be practically impossible to perform error correction.

FIG. 2c shows a third embodiment building on FIG. 2b. In FIG. 2c, key 183 is computed as in FIG. 2b but is used as a master key. From master key 183, a first key 184 and a second key 185 are computed. The first and second key 184 and 185 have the same property as key 183, e.g., increased resistance against entropy loss in case of increased bias of PUF 110.

FIG. 2d shows a fourth embodiment. A first key 186 is computed from part of bits 171 and parts of the bits in 172. A second key 187 is also computed from part of bits 171 and part of bits 172, but possibly other parts. For example, bits 100-200 of bits 171 and bits 50-130 of bits 172 may be inputted to a KDF to obtain key 186, and, say, bits 50-100 of bits 171 and bits 130-200 of bits 172 to obtain key 187. An advantage of the construction of FIG. 2d is that more control is possible over which keys have more entropy than others. For example, the keys 184 and 185 are related (even though in practice this relationship is highly convoluted due to the key derivation functions used); this can be avoided by using different parts of bits 171 and 172 for different keys. By varying the percentage of bits used from bits 171, keys can be constructed of different security levels. For example, some keys may be generated entirely from bits taken from bits 171, whereas other keys only receive a smaller percentage of bits from bits 171.

FIG. 3 schematically shows examples of an enrollment procedure. The procedures illustrated with FIG. 3 may be executed, e.g., on an embodiment such as that illustrated with FIG. 1. FIGS. 3 and 4 show (at least part of) strings that may occur in an implementation of enrollment or reconstruction. In an embodiment, the strings, including the PUF response, may be larger, even much larger. In an embodiment, the PUF response comprises at least 1000 bits. Still larger may also be used, e.g., at least 2000 bits, 4000 bits, etc.

The process starts with a PUF response 412 from which pairs are formed, so that we have a sequence of bit pairs. In this case, pairs are consecutive but this is not necessary. The equal pairs are marked in string 420 bias-susceptible (S) and unequal pairs are marked bias-unsusceptible (U). Each pair is assigned a value that identifies the original pair. In this example the first bit of the pair is used to uniquely identify which pair was encoded. Note that PUF response 412 can be recovered from string 420 which marks the high/low bias pairs and the values of the pairs.

Next the processing is split into processing the unsusceptible pairs (U) and processing the susceptible pairs (S). For the unsusceptible processing the susceptible pairs are treated as erasures. For the susceptible processing the unsusceptible pairs are treated as erasures (E). Erasures are basically placeholders that do not contribute to the processing, removing the values while preserving the ordering of the data.

In both parts of the process a secret is added to form noise reduction data. These secrets are independent of each other. These secrets can be encoded using an error correcting code and are added to the strings with erasures. In this example the value of the encoded secret is added by exclusive OR of the first bit of each pair in the secret with the value of the (un)susceptible pair. Erasures are neutral and do not contain values; they are therefore not influenced by this process.

String 431 shows PUF response 412 in which susceptible pairs are replaced by erasures. The bit pairs marked U in strings 420 and 431 are the low-bias first part of PUF response 412. String 432 comprises two first code words. In this case a repetition code of block size n=10 is used. The repetition code could also be part of a larger concatenated code, e.g., as inner code. For example, string 432 may have been obtained as the encoding of a first secret, in this case with value (0, 1). The first secret may be obtained from a random number generator. The sum of string 431 and the two code words 432 is shown in string 433. Note that adding an erasure to any bit remains an erasure. Adding 11 to a U0 or U1 flips it to U1 or U0, whereas adding 00 has no effect. An inner code with the property that it can be split into pairs of equal bits, such as a repetition code, has the advantage that an unequal pair remains unequal and an equal pair remains equal. Although this is convenient and helps to get small combined debiasing/noise reduction data, it is not necessary. String 433 can be seen as noise reduction data for the first part of PUF response 412. Note that string 433 in this example has the same length as PUF response 412.

The same process is followed for the susceptible bits. String 441 shows PUF response 412 in which unequal pairs are replaced by erasures. The bit pairs marked S in strings 420 and 441 are the high bias susceptible second part of PUF response 412. String 432 comprises two second code words. The second code words 442 are chosen from the same error correction code as code words 432 but they are an encoding of a different secret. In this case, an encoding of the secret (1,0). String 443 shows the result of adding the second code words 442 to string 441.

Interestingly, the two partial sets of partial noise reduction data can be combined efficiently, filling in the erasure positions of one with the values of the other. To illustrate this, first and second noise reduction data 433 and 443 are shown directly underneath each other. The erasures in the strings 433 and 443 are complementary and the first and second noise reduction data can be combined into a single noise reduction data for the first and second part. The combined noise reduction data is shown at 451. Note that bit encodings may be used instead of the letters S and U.

For example, it is possible to represent this noise reduction data 451 efficiently using binary format. Combined noise reduction data 452 shows the combined noise reduction data where the susceptible pairs are represented by a ‘0’ and the binary value and the unsusceptible pairs are represented by a ‘1’ and the binary value. Note that the combined data 451/452 contains both the debiasing data, as the U and S values indicate which bits are in the first part and which in the second part, the first noise reduction data, in the form of the other bit after a U, and the second noise reduction data, in the form of the other bit after an S. We may refer to string 451 as combined helper data. Note that the combined bit size of the debiasing data, first noise reduction data and second noise reduction data equals the bit size of the first noisy bit string.

For example, in such an advantageous packing of debiasing data, first noise reduction data and second noise reduction data, the debiasing data comprises only a single bit for each pair in the first sequence of bit pairs identifying the pair as low or high bias susceptible. The other bit in the pair may be used as noise reduction data. For example, in an embodiment

- the first noise reduction data comprises a single bit for each pair in the first part of the first noisy bit string, said bit indicating the offset between the pair in the first part of the first noisy bit string and a corresponding pair in the one or more first code words.
- the second noise reduction data comprises a single bit for each pair in the second part of the first noisy bit string, said bit indicating the offset between the pair in the second part of the first noisy bit string and a corresponding pair in the one or more second code words.

FIG. 4 schematically shows examples of a reconstruction procedure. The procedures illustrated with FIG. 4 may be executed, e.g., on an embodiment such as that illustrated with FIG. 1. This example continues from FIG. 3. Reconstruction takes place using a new noisy PUF string, e.g., a second PUF response. For reference, the original first PUF response obtained during enrollment is repeated in FIG. 4 with reference numeral 412. The new second PUF response obtained during reconstruction is shown with reference numeral 514. The underlined bits in the PUF response show the locations where it differs from the enrollment PUF string 412. Note that this information is not a-priori known in an actual reconstruction, and is only shown in FIG. 4 to explicate the reconstruction. For reference the combined debiasing/noise reduction data 451 is also shown in FIG. 4. The combined helper data 451 was produced during enrollment, and is required to reconstruct the secrets and (if desired) the enrollment PUF response.

The combined helper data 451 is split into partial helper data for the susceptible and the unsusceptible parts by introducing erasures again. The partial helper data is translated to a string of pairs. The unsusceptible helper data is translated to the pairs ‘01’ and ‘10’, where the value bit represents the first bit of the pair, translating ‘U0’ into ‘01’ and ‘U1’ into ‘10’. The susceptible helper data is translated to the pairs ‘00’ and ‘11’, where the value bit represents the first bit of the pair, translating ‘S0’ into ‘00’ and ‘S1’ into ‘11’. Erasures do not result in any value.

String 521 shows the unsusceptible partial helper data, e.g., first noise reduction data. String 522 shows the same information but herein the encodings U0 and U1 have been replaced by the corresponding unequal pairs. Erasures are not shown. The first noise reduction data 522 is added to the second PUF response 514 to obtain first noisy code words 523. Note that erasures in string 521/522 result in erasures in string 523. In addition to erasures, first noisy code words 523 also contain errors. Note that the second error in second PUF response 514 resulted in an error in the fifth pair of string 523; without the error in PUF response 514 that pair in string 523 would have been 00 instead of 10. Shown are the first noisy code words 523, e.g., the encoded first secret with noise. Since the first secret is encoded using an error correction code, it can be corrected to the original secret value. For the code used in the example the bit occurring most determines the result. That is, repetition codes can be decoded using majority voting, ignoring erasures. More complicated codes have correspondingly more complicated error correction algorithms. Finally, two first corrected bits 524 are obtained. Instead of the two first corrected bits also the original first code words could have been obtained. If a concatenated code is used, then instead of a hard decoding to bits 524 a soft decoding could be used. The soft decoding could be used as a starting point to error correct the outer code (not shown in FIGS. 3 and 4).

The process for error correcting the bias susceptible part is similar. Shown at 531 is the susceptible part of the combined helper data, with erasures replacing the low-bias first part. String 532 is the same but translated to a noise reduction data 532. In string 533 the noise reduction data has been added to PUF response 514. The result 533 shows a number of erasures and in this case 2 errors. Majority decoding correctly gives the encoded secret 534.

Strings 524 and 534 are first and second corrected bits and could be used to generate one or more keys. For example, the two strings could be concatenated and hashed to generate a single high entropy key for normal bias values and which is protected against entropy loss in case of high bias.
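The enrollment of FIG. 3 and the reconstruction of FIG. 4, as an added Python example that is not part of the patent text. The PUF response, the two secrets, the block length of six pairs and the error positions are constructed values, the function names are hypothetical, and decoding a tie or a fully erased block to 0 is an assumption of this sketch.

```python
import hashlib

def pairs(bits):
    """Partition a bit list into consecutive bit pairs."""
    return [(bits[i], bits[i + 1]) for i in range(0, len(bits), 2)]

def enroll(puf, secret1, secret2, block):
    """Combined helper data: one (tag, value bit) entry per PUF pair.
    Each secret bit is repetition-coded over `block` consecutive pairs."""
    helper = []
    for i, (a, b) in enumerate(pairs(puf)):
        if a != b:  # unequal pair: low bias susceptible, first part ('U')
            helper.append(("U", a ^ secret1[i // block]))
        else:       # equal pair: high bias susceptible, second part ('S')
            helper.append(("S", a ^ secret2[i // block]))
    return helper

def pack(helper):
    """Binary packing: 'S' -> 0, 'U' -> 1, each followed by the value bit."""
    return [bit for tag, v in helper for bit in (int(tag == "U"), v)]

def correct(puf, helper, tag, block):
    """Decode one part of a PUF response; pairs with the other tag are erasures.
    The parts come from the stored tags, never from the new response."""
    n_blocks = len(helper) // block
    ones, seen = [0] * n_blocks, [0] * n_blocks
    for i, ((a, b), (t, v)) in enumerate(zip(pairs(puf), helper)):
        if t != tag:
            continue  # erasure: contributes no vote
        second = v ^ 1 if tag == "U" else v  # U0->01, U1->10, S0->00, S1->11
        ones[i // block] += (a ^ v) + (b ^ second)
        seen[i // block] += 2
    # Majority vote per repetition block (assumption: tie or no votes -> 0).
    return [int(2 * o > s) for o, s in zip(ones, seen)]

def derive_key(first, second):
    """Concatenate the corrected bits and hash them into a single key."""
    return hashlib.sha256(bytes(first + second)).hexdigest()

# Constructed sample data: 12 pairs, two repetition blocks of 6 pairs each.
ENROLL_PUF = [0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1,
              1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0]
SECRET1, SECRET2, BLOCK = [1, 0], [0, 1], 6
HELPER = enroll(ENROLL_PUF, SECRET1, SECRET2, BLOCK)

# Second PUF response: the enrollment response with three constructed bit errors.
NOISY_PUF = list(ENROLL_PUF)
for pos in (2, 9, 15):
    NOISY_PUF[pos] ^= 1

def reconstruct(puf=NOISY_PUF, helper=HELPER, block=BLOCK):
    """Two independent corrections, then one key from both results."""
    first = correct(puf, helper, "U", block)
    second = correct(puf, helper, "S", block)
    return first, second, derive_key(first, second)

if __name__ == "__main__":
    print(reconstruct())
```

Two of the three errors turn an unequal enrollment pair into an equal one, yet those pairs are still decoded as part of the first part because the split is read from the helper data.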

FIG. 5 schematically shows an example of an embodiment of an electronic enrollment method 600. Method 600 enrolls a device, such as device 100, for later determining of a cryptographic key. Enrollment method 600 comprises

-   producing 610 a first noisy bit string 112 from a physically unclonable function PUF 110
-   determining 620 debiasing data 142 from the first noisy bit string, the debiasing data marking a first part 121 of the first noisy bit string 112 as low bias susceptible, and marking bits in a second part 122 of the first noisy bit string 112 as high bias susceptible,
-   determining 630 a first noise reduction data 131 for the first part, and determining 640 a second noise reduction data 132 for the second part, noise reduction data allowing later correction during the reconstruction phase of differences between the second noisy bit string and the first noisy bit string.

Method 600 may further comprise storing the debiasing data, first noise reduction data and second noise reduction data.

FIG. 6 schematically shows an example of an embodiment of an electronic reconstruction method 700. Method 700 determines a cryptographic key based on debiasing data, and first and second noise reduction data, e.g., as determined in an enrollment method such as method 600. Method 700 comprises

-   producing 710 a second noisy bit string 112 from a physically unclonable function PUF 110,
-   identifying 720 a first part 151 and a second part 152 in the second noisy bit string 114 based on debiasing data,
-   performing 730 a first correction of differences between the first part of the second noisy bit string and the first part of the first noisy bit string based on the first noise reduction data thus obtaining first corrected bits 171, and performing 740 a second correction of differences between the second part of the second noisy bit string and the second part of the first noisy bit string based on the second noise reduction data thus obtaining second corrected bits 172, wherein the first correction and second correction are independent from each other, the debiasing data, first noise reduction data and second noise reduction data being obtained from an enrollment method as in claim 13, and
-   computing 750 at least one cryptographic key from the first corrected bits and the second corrected bits, e.g., key 181 and key 182 or key 183 or key 184 and 185 or key 186 and 187.

Methods 600 and 700 may be executed after one another, e.g., in a combined enrollment and reconstruction method.

Many different ways of executing the methods are possible, as will be apparent to a person skilled in the art. For example, the order of the steps can be varied or some steps may be executed in parallel. Moreover, in between steps other method steps may be inserted. The inserted steps may represent refinements of the method such as described herein, or may be unrelated to the method. For example, elements 630 and 640 or elements 730 and 740 may be executed, at least partially, in parallel. Moreover, a given step may not have finished completely before a next step is started.

A method according to the invention may be executed using software, which comprises instructions for causing a processor system to perform method 600 or 700. Software may only include those steps taken by a particular sub-entity of the system. The software may be stored in a suitable storage medium, such as a hard disk, a floppy, a memory, an optical disc, etc. The software may be sent as a signal along a wire, or wireless, or using a data network, e.g., the Internet. The software may be made available for download and/or for remote usage on a server. A method according to the invention may be executed using a bitstream arranged to configure programmable logic, e.g., a field-programmable gate array (FPGA), to perform the method.

It will be appreciated that the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code intermediate source, and object code such as partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention. An embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the processing steps of at least one of the methods set forth. These instructions may be subdivided into subroutines and/or be stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer executable instructions corresponding to each of the means of at least one of the systems and/or products set forth.

FIG. 7a shows a computer readable medium 1000 having a writable part 1010 comprising a computer program 1020, the computer program 1020 comprising instructions for causing a processor system to perform a method or enrollment and/or reconstruction, according to an embodiment. The computer program 1020 may be embodied on the computer readable medium 1000 as physical marks or by means of magnetization of the computer readable medium 1000. However, any other suitable embodiment is conceivable as well. Furthermore, it will be appreciated that, although the computer readable medium 1000 is shown here as an optical disc, the computer readable medium 1000 may be any suitable computer readable medium, such as a hard disk, solid state memory, flash memory, etc., and may be non-recordable or recordable. The computer program 1020 comprises instructions for causing a processor system to perform said method or enrollment and/or reconstruction.

FIG. 7b shows a schematic representation of a processor system 1140 according to an embodiment. The processor system comprises one or more integrated circuits 1110. The architecture of the one or more integrated circuits 1110 is schematically shown in FIG. 7b. Circuit 1110 comprises a processing unit 1120, e.g., a CPU, for running computer program components to execute a method according to an embodiment and/or implement its modules or units. Circuit 1110 comprises a memory 1122 for storing programming code, data, etc. Part of memory 1122 may be read-only. Circuit 1110 may comprise a communication element 1126, e.g., an antenna, connectors or both, and the like. Circuit 1110 may comprise a dedicated integrated circuit 1124 for performing part or all of the processing defined in the method. Processor 1120, memory 1122, dedicated IC 1124 and communication element 1126 may be connected to each other via an interconnect 1130, say a bus. The processor system 1110 may be arranged for contact and/or contact-less communication, using an antenna and/or connectors, respectively.

For example, in an embodiment, the cryptographic device may comprise a processor circuit and a memory circuit, the processor being arranged to execute software stored in the memory circuit. For example, the processor circuit may be an Intel Core i7 processor, ARM Cortex-R8, etc. The memory circuit may be a ROM circuit, or a non-volatile memory, e.g., a flash memory. The memory circuit may be a volatile memory, e.g., an SRAM memory. In the latter case, the verification device may comprise a non-volatile software interface, e.g., a hard drive, a network interface, etc., arranged for providing the software.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments.

In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb “comprise” and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article “a” or “an” preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

In the claims references in parentheses refer to reference signs in drawings of exemplifying embodiments or to formulas of embodiments, thus increasing the intelligibility of the claim. These references shall not be construed as limiting the claim.

The invention claimed is:
 1. An electronic cryptographic device arranged to determine a cryptographic key, the cryptographic device being arranged for an enrollment phase and a later reconstruction phase, the cryptographic device comprising: a physically unclonable function arranged to produce a first noisy bit string during the enrollment phase and a second noisy bit string during the reconstruction phase, and a processor circuit configured to determine, during the enrollment phase, debiasing data from the first noisy bit string, the debiasing data marking a first part of the first noisy bit string as low bias susceptible, and marking a second part of the first noisy bit string as high bias susceptible, determine during the enrollment phase a first noise reduction data for the first part, and a second noise reduction data for the second part, noise reduction data allowing later correction during the reconstruction phase of differences between the second noisy bit string and the first noisy bit string, identify during the reconstruction phase a first part and a second part in the second noisy bit string based on the debiasing data, perform a first correction of differences between the first part of the second noisy bit string and the first part of the first noisy bit string based on the first noise reduction data thus obtaining first corrected bits, and perform a second correction of differences between the second part of the second noisy bit string and the second part of the first noisy bit string based on the second noise reduction data thus obtaining second corrected bits, wherein the first correction and second correction are independent from each other, compute at least one cryptographic key from the first corrected bits and the second corrected bits.
 2. An electronic cryptographic device as in claim 1, wherein the processor circuit is configured to select, during the enrollment phase, one or more first code words from an error correcting code and one or more second code words from an error correcting code, wherein determining a bit of the first noise reduction data comprises computing the offset between a corresponding bit in the first part of the first noisy bit string and a corresponding bit in the one or more first code words, and determining a bit of the second noise reduction data comprises computing the offset between a corresponding bit in the second part of the first noisy bit string and a corresponding bit in the one or more second code words.
 3. An electronic cryptographic device as in claim 2, wherein the one or more first code words are as long or longer as the first noisy bit string, wherein the one or more second code words are as long or longer as the first noisy bit string, each bit in the first noisy bit string corresponding to a bit in the one or more first code words and to a bit in the one or more second code words.
 4. An electronic cryptographic device as in claim 2, wherein the processor circuit is configured to: determine the offsets between the first noisy bit string and the one or more first code words only for the bits in the first part of the first noisy bit string, and determine the offsets between the first noisy bit string and the one or more second code words only for the bits in the second part of the first noisy bit string.
 5. An electronic cryptographic device as in claim 2, wherein the processor circuit is arranged to select the one or more first or second code words from the first or second error correcting code by encoding one or more further code words from a further error correcting code.
 6. An electronic cryptographic device as in claim 2, wherein the error correcting code is a concatenated code wherein the inner code is a repetition code.
 7. An electronic cryptographic device as in claim 1, wherein performing a first correction of differences comprises; obtaining one or more noisy first code words, by applying the first noise reduction data to bits in the first part of the second noisy bit string, and marking as erasures-bits, the bits in the one or more noisy first code words corresponding to bits in the second part of the second noisy bit string, correcting said one or more noisy first code words using an error correcting algorithm, and/or wherein performing a second correction of differences comprises obtaining one or more noisy second code words, by applying the second noise reduction data to bits in the second part of the second noisy bit string, and marking as erasures-bits, the bits in the one or more noisy second code words corresponding to bits in the first part of the second noisy bit string, and correcting said one or more noisy second code words using an error correcting algorithm.
 8. An electronic cryptographic device as in claim 1, wherein the first and second noisy bit string are partitioned in a first and second sequence of bit pairs respectively, the processor circuit being configured to identify bits in unequal bit pairs in the first sequence of bit pairs as low bias susceptible, and to identify bits in equal bit pairs in the first sequence of bit pairs as high bias susceptible.
 9. An electronic cryptographic device as in claim 8, wherein the debiasing data comprises a single bit for each pair in the first sequence of bit pairs identifying the pair as low or high bias susceptible, the first noise reduction data comprises a single bit for each pair in the first part of the first noisy bit string, said bit indicating the offset between the pair in the first part of the first noisy bit string and a corresponding pair in one or more first code words, and the second noise reduction data comprises a single bit for each pair in the second part of the first noisy bit string, said bit indicating the offset between the pair in the second part of the first noisy bit string and a corresponding pair in the one or more second code words.
 10. An electronic cryptographic device as in claim 1, wherein the combined bit size of the debiasing data, first noise reduction data and second noise reduction data equals the bit size of the first noisy bit string.
 11. An electronic cryptographic device as in claim 1, wherein the processor circuit is arranged to compute a single cryptographic key from at least part of the first corrected bits and at least part of the second corrected bits.
 12. An electronic cryptographic device as in claim 1, wherein the processor circuit is arranged to compute a first cryptographic key from at least part of the first corrected bits and a second cryptographic key from at least part of the second corrected bits. 